The Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-covered entities and their business associates to implement safeguards to ensure the privacy of patients is protected and protected health information (PHI) is secured, but what happens when those rules are violated? Who do you report HIPAA violations to?
Who do You Report HIPAA Violations To?
If you suspect that HIPAA Rules have been violated by a HIPAA-covered entity (healthcare providers, health plans, healthcare clearinghouses, business associates of covered entities and their subcontractors), it is important for the violation to be reported to allow an investigation to take place.
HIPAA violations frequently occur as a result of human error or a misunderstanding of HIPAA regulations, and in some cases violations of HIPAA Rules are deliberate or willful. A covered entity or business associate may not be aware that a HIPAA violation has occurred, and should be given the opportunity to correct errors and prevent similar violations from occurring in the future.
How Can Healthcare Employees Report HIPAA Violations?
If you are employed by a HIPAA-covered entity, who do you report HIPAA violations to? Ideally, the complaint should be filed with your HIPAA compliance officer, or failing that, the matter should be brought to the attention of your supervisor. This will give your employer the opportunity to act quickly to prevent any further violations of HIPAA Rules.
If action is not taken to address the problem, or if healthcare employees would rather bypass this step, they can submit a complaint to the Office for Civil Rights. In order for OCR to investigate, OCR will need to be informed of the suspected violation and should be provided with concise and specific information about the suspected breach, including when it occurred, if it is ongoing, and when it was discovered. Complaints must be filed within 180 days of discovery of the violation; any later and OCR will not investigate. Extensions may be granted under certain circumstances.
How Can Patients Report HIPAA Violations?
If you are a patient or health plan member, who do you report HIPAA violations to?
In the first instance, a complaint should be lodged with the covered entity in question to allow that entity to investigate internally and take action. Healthcare organizations employ a HIPAA compliance officer to oversee their compliance obligations. This is likely to be a dedicated role in a large healthcare organization, while smaller healthcare providers may assign compliance duties to an individual on top of other duties. The complaint should be directed to the HIPAA compliance officer.
Complaints can also be filed with the Office for Civil Rights. It is not a requirement to first report the incident to the covered entity. Patients can bypass this step and submit a complaint to OCR about a privacy violation or another type of HIPAA violation that has come to their attention.
OCR will assess complaints for HIPAA violations and will conduct an investigation if there are grounds for a complaint. While anonymous complaints can be submitted, OCR will only investigate complaints if the complainant is named and contact details are provided. Complaints must be filed within 180 days of discovery of the violation and the suspected HIPAA violation should be clearly stated, as concisely as possible.